Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:
Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.
Greater context to aid in more effective detection, alerting and response.
Ability to meet compliance mandates through the storing of log data for up to 13 months.
ARMOR AGENT FOR SERVERS can be configured to collect logs from the following sources:
Apache Server
Microsoft IIS
Â
Â
Â
Armor Agent - Collecting Linux and Windows Standard Logs
Use the following commands to manage the Logging service - Filebeat and Winlogbeat (for Windows only).
Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help
Â
Add new paths to filebeat config
Remove paths from filebeat config
List added config paths
Sync filebeat config
Add new paths to filebeat config
Â
Remove paths from filebeat config
Â
List added config paths
Â
Sync filebeat config
Â
Add winlogbeat event logs
Â
Remove winlogbeat event logs
Â
List Event logs
Â
Sync event logs
Â
Command Usage:
The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.
COMMAND
ARGUMENTSÂ
RESULT
COMMAND
ARGUMENTSÂ
RESULT
iis-enable
apache-enable
nginx-enable
Â
Enables filebeat IIS/apache/nginx. When run, module yml file will change from disabled state to enable state.
iis-disable
apache- disable
nginx- disable
Â
Disables Filebeat IIS/apache/nginx. When run the module yml file will change from enable state to disable mode.
iis-add-access-paths
apache-add-access-paths
nginx-add-access-paths
path1, path2, path3
Includes the argument paths in module yml file under the 'access_paths' section.
iis-remove-access-pathsÂ
apache-remove-access-paths
nginx-remove-access-paths
path1, path2, path3
Removes the argument paths in module yml file under the 'access_paths' section.
iis-add-error-paths
apache-add-error-paths
nginx-add-error-paths
path1, path2, path3
Includes the argument paths in module yml file under the 'error_paths' section.
iis-remove-error-paths
apache-remove-error-paths
nginx-remove-error-paths
path1, path2, path3
Removes the argument paths in module yml file under the 'error_paths' section. Removes the argument paths in module yml file under the 'error_paths' section.
iis-sync-config
apache-sync-config
nginx-sync-config
Â
The command sync the module yml file on vm with latest changes which are required.
iis-describe-config
apache-describe-config
nginx-describe-config
Â
The command displays current access & error paths which are configured in module yml file.
Â
Users can add as many paths in a single command as needed by must be comma-separated.
Linux example (multiple/one path):
Windows example (multiple/one path):
Â
Examples: Below is example usage for logging apache and similarly for iis and ngix module.
Command Usage:
Default Logging Configuration for the Armor Agent
Windows
The Armor Agent forwards logs from the System and Security event types. The specific event id's kept are as follows:
